Commit 684c7377 authored by Clément Bœsch's avatar Clément Bœsch

framing: check for overflow on growing buffer

newsize is a long, but storage is an int. This means the allocation
could succeed but storage would overflow.

Closes #2300
parent 0bbcba4e
Pipeline #2110 passed with stage
in 1 minute and 1 second
......@@ -597,9 +597,14 @@ char *ogg_sync_buffer(ogg_sync_state *oy, long size){
if(size>oy->storage-oy->fill){
/* We need to extend the internal buffer */
long newsize=size+oy->fill+4096; /* an extra page to be nice */
long newsize;
void *ret;
if(size>INT_MAX-4096-oy->fill){
ogg_sync_clear(oy);
return NULL;
}
newsize=size+oy->fill+4096; /* an extra page to be nice */
if(oy->data)
ret=_ogg_realloc(oy->data,newsize);
else
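Review bot: the new guard uses `INT_MAX` but this excerpt shows no `#include <limits.h>`; if framing.c does not already include it, add the include explicitly rather than relying on a transitive one. The bound itself is correct: rejecting `size>INT_MAX-4096-oy->fill` guarantees that `size+oy->fill+4096` fits in the `int` that `storage` is declared as, which is exactly the overflow the commit message describes, and the subtraction on the right-hand side cannot itself wrap as long as `oy->fill` is non-negative. One documentation point: the rejection path calls `ogg_sync_clear(oy)` before returning NULL, which throws away any data already buffered; if that is the same behaviour as the allocation-failure path below the hunk, a one-line comment saying the state is deliberately reset on an oversized request would save the next reader from wondering whether it was meant.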